Healthcare providers frequently allow patients to access their electronic health records (EHRs) through a patient portal. Online patient portals allow patients to view their medical records, schedule appointments, and even request refills of prescriptions, anywhere the patient has access to the Internet.
Patient portals contain information that constitutes electronic protected health information (ePHI) under the HIPAA Security Rule. ePHI is defined as any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media.
Under the Security Rule, covered entities (CEs) and business associates (BAs) must develop effective administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI – including patient portal ePHI.
Patient portal apps and software must be secure, or be rendered secure.
What Must Be Done to Secure Patient Portals under the HIPAA Security Rule?
Under the Security Rule, healthcare organizations must implement “reasonable and appropriate” cybersecurity measures to prevent data breaches. “Reasonable and appropriate” cybersecurity measures are those measures, taken within reason, that are proper under the circumstances.
One standard with which covered entities and business associates must comply is known as the Person or Entity Authentication standard. This standard requires an organization to “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
Recently, to learn more about how healthcare organizations are meeting this challenge, LexisNexis® Risk Solutions, in collaboration with the Information Security Media Group, conducted a survey about healthcare organization cybersecurity strategies and patient identity management practices. The survey results revealed that most of the organizations required only a username or password; a “knowledge” question (a question pre-selected and pre-answered by the patient, such as “What was the make and model of your first car?”); and email verification. In email verification, the entity sends a message to the email address the patient provided, and the patient, upon receipt, must click a link or take some other specified action to “verify” that the message reached him or her at that address.
The study also found that less than two-thirds of the respondents reported using multifactor authentication. Multifactor authentication, known as MFA, requires users to provide multiple ways to prove that it is them, such as entering a password in combination with a fingerprint scan, or a password in combination with a one-time code sent to their phone. Through MFA, the user’s identity is verified in at least two independent ways.
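The following is an added example, not code from the article or from any of the organizations it names, showing what "verified in at least two ways" looks like in a portal's login path: a password check against a salted PBKDF2 hash plus a time-based one-time code verified per RFC 6238 (TOTP). The article describes a code sent to the phone; this example assumes an authenticator-app style code instead, so that the check can be computed locally, and it assumes an in-memory user record (`make_user`, `authenticate`, and the sample credentials are all constructed for illustration). It also enforces the "one-time" property by refusing to accept a code's time-step counter twice.

```python
import hashlib
import hmac
import os
import struct

# Parameters for the constructed example. Iteration count is kept modest so the
# demo runs quickly; production deployments should follow current guidance.
PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time comparison so timing does not leak how much matched."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // TOTP_STEP)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1):
    """Return the matching time-step counter, or None.

    Accepts +/- `window` steps to tolerate small clock drift between the
    patient's device and the server.
    """
    base = unix_time // TOTP_STEP
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record standing in for the portal's credential store."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "password_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
        "last_totp_counter": -1,   # highest counter already accepted
    }


def authenticate(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; a correct password alone never grants access."""
    ok_password = verify_password(password, user["salt"], user["password_hash"])
    counter = verify_totp(user["totp_secret"], code, unix_time)
    # One-time use: a counter at or below the last accepted one is a replay.
    ok_code = counter is not None and counter > user["last_totp_counter"]
    if ok_password and ok_code:
        user["last_totp_counter"] = counter
        return True
    return False


if __name__ == "__main__":
    # Constructed sample credentials; the TOTP secret is the RFC 6238 test key.
    user = make_user("correct horse battery", b"12345678901234567890")
    now = 59
    print("password only   ->", authenticate(user, "correct horse battery", "000000", now))
    print("both factors    ->", authenticate(user, "correct horse battery", totp_code(user["totp_secret"], now), now))
    print("replayed code   ->", authenticate(user, "correct horse battery", totp_code(user["totp_secret"], now), now))
```

Both factors are always evaluated rather than short-circuiting on a bad password, so a failed login takes the same path either way; in a real portal the failure would also be logged with the reason for detection purposes, and repeated failures would be rate-limited.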
Hackers have not stood still in the face of this limited amount of MFA adoption. In fact, the number of patient records being breached has risen to its highest level ever. Through the first half of June of 2019, 25 million patient records have already been breached. Many of these breaches have been caused by hackers, who sell patient records on the black market and dark web.
In light of these startling figures, MFA is an eminently reasonable and appropriate cybersecurity measure. This is not because MFA has some magical properties that cause hackers to disappear. Rather, if an organization has not implemented MFA, its antivirus, firewall, and encryption measures are subject to being bypassed. Adding MFA provides an extra layer of protection for ePHI.
Compliancy Group Simplifies HIPAA Compliance
Covered entities can address their obligations under the HIPAA Security Rule by working with Compliancy Group to develop required Security Rule safeguards.
Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA Security Rule standards – including the tools to develop secure patient portals – so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!
Need Help with HIPAA?
Let our complete HIPAA solution handle it.